First some background. I used to work as an information security consultant at one of the largest PCI consulting firms. When I worked at the company, I was a QSA and held other related PCI Certs. When I left that firm, I went to work in a consulting firm that was not a QSA, so I had to allow my QSA to lapse.

Recently I have decided to leave consulting in order to locate a position at a corporation, where I can help them with their governance, risk, and compliance initiatives. I have located an opportunity with a retailer, who has posted for such a position, but the job description states that all applicants must be QSA Certified.

I know that I can do the job. My skills as a QSA have not lapsed. Quite frankly they were not that difficult to acquire. However, I cannot claim that I am currently a “QSA”.

I think that I have two options – either to list it on my resume, and explain it later – or to list on my resume that I am a former “QSA” – however, I feel that this could be received negatively by the internal screener.

Can you provide me some advice?

Signed,

“The Artist Formerly Known As QSA”

Dear “Artist”:

This is a very interesting situation.

Your example points out the exact problem with keyword screening criteria, and job descriptions written by the uninformed. What may also be funny is if the internal screener was also screening out candidates who currently work at consulting firms – which in essence would eliminate the entire candidate pool and leave the position unfilled.

First of all, you can never ever misrepresent the truth on a resume. This is a show-stopper, a red flag, and it calls your integrity and ethics into question. Companies will check your certifications, and when it comes up that you do not hold the QSA, your interview process will come to an abrupt end.

The best advice that I can give you is to list on your resume: “Former QSA” – Your Certification Number – and the Years You Held The Certification. You can also list your other PCI related certifications as well with a similar format.

Underneath your certifications and in the body of your resume, you should explain in one sentence or bullet point why your QSA certification lapsed. You need to show the screener that it is impossible to maintain a QSA without working at a Certified Assessor. If necessary, you can link to a website that references this, so that they can validate it.

Unfortunately, we live in a world where not all involved in the decision making process understand the nature of qualifications for information security roles. Considering that many in the HR field are trained to exclude on “key words” and not to investigate further, it is very possible to be overlooked for a role for which you are qualified and are an excellent candidate.

I would like to reiterate to all of the Infosecleaders in the audience, that it is in your best interest to assist your HR team members and educate them when you are enlisting their help in recruiting for an experienced information security professional.

I am writing to you as my last sounding board, as I believe that I have made the decision to leave the world of “employee” for the career of “1099 information security consultant.”

I have arrived at my decision due to the fact that I am frustrated working at my current employer. I work for a boutique professional services firm, where I am the only person who delivers my specific type of technical information security services – application security and code review. All of my co-workers do a lot of policy, compliance and governance work – and my firm has a pretty large PCI practice.

My company likes to tell its customers that we are adept at performing technical security assessments, web application tests, and code review – but in this case, in essence the “firm” is “me.” When our sales team sells work, my phone rings off the hook. This means that I am responsible for additional travel, RFP’s, delivery, and reports – much more than my other colleagues whose skills are repeatable and more plentiful. Although I am unique, my compensation is not, and I do feel underpaid.

My thought is to start my own business, leave my current employer and offer them my services for their customers as a 1099 contractor. This should enable me to earn additional monies and give me some flexibility on the projects I want to work on. Upon completion, my plan would be to partner up with some other independent consultants, and try to find additional work.

I figure that in the end, if it does not work out, I can always get another job with a services firm similar to my current employer.

Do you have any words of wisdom for me? I have always wanted to be the president of a company, even if I am its only employee.

Sincerely,

Mitt Santorum

Dear Mitt –

The first thing that I will do is to agree with you. If you decide that you want to leave your current consulting company, to begin your own venture, you most likely will have very little risk. If you decide after a short period of time that you do not like working as an independent, you can always go back to the work force and attempt to find a job.

However, I am going to caution you to think through your decision a little bit more thoroughly and begin to think of the bigger picture, which is your career. A decision to leave traditional employment and enter the world of independent contracting is great, when your skills are in demand and the market is hot – but good times do not always last forever. If you decide to take this route, you need to be cognizant of this – and make sure that you continue to invest in yourself and your career, and make sure that you remain on the leading edge of your subject matter expertise.

One thing that you may or may not be aware of is how good your skills are in comparison to the remainder of the market. In your company, since you are the only one who does what you do, you may be the “big fish” in the “little pond.” Your skills may only be viewed as “outstanding” because of what they can be compared to.

In order to truly be successful as an independent consultant – you have to be exceptional and unique.

Before deciding to step out on your own, my advice would be to join a firm that has an area of specialty that aligns with your core competency of application security and software review. I would select one of the smaller boutique firms – maybe one that has between 10-30 people – who are known in the industry for their expertise in this area. The first indication of your talent should be your success in the interview process. These firms traditionally hold a high bar for talent; passing these obstacles with a good degree of ease should be the first indication that you have it. Then, upon joining the firm, I would treat your employment like it was your own business and incorporate all of the elements into it – delivery, customer management, and sales.

See how this goes for a year or so, and see how successful you are, in all of the stated components. You should be able to have enough data to understand if you would be happier in this type of environment or out on your own as an independent. At the end of this experiment, you will definitely be able to make a more informed decision about your future.

Regardless of your choice, you are always the President of your own career, and the CEO of You, Inc.

I have recently applied for a position that I believe will advance my information security career. In submitting my resume via the company’s internet posting, I tailored many of my accomplishments directly to the criteria of the position description. I have to admit that I am a very skilled wordsmith, and may have taken some liberties in the description and the scope of the work that I have performed.

For example, I often serve as a team lead and project manager for technical engagements, but I have never managed people directly. The role that I am applying for has direct reports. Also, the position description calls for an understanding of some specific information security tools that the company uses – like data loss prevention and GRC compliance software. While I have experience with these concepts and similar tools, in-depth knowledge and experience with these particular tools has eluded me. Finally, the position calls for the ability to travel 50% of the time. I am really not interested in this amount of travel, but I have a friend that works there and she told me that she does not travel any more than 25%.

I am now scheduled to have my first conversation for the interview, a phone conversation with the human resources/internal recruiter – given the things that I have shared with you, do you have any advice on how I should handle her questions? I know that she is going to read the JD verbatim, and ask me questions where my answers may exclude me from consideration.

I really want a chance to speak to the hiring manager and fellow info sec professionals in the group, to articulate my experiences and demonstrate that I have what it takes to be a viable candidate for the role.

Any words of advice?

Sincerely,

Michaele Salahi

Dear Michaele:

I would like to provide you with some advice that is two-fold for your exact situation. First, some of the deficiencies that you have pointed out in your skill set may be deal breakers with the resident information security leader, so please tread carefully in your presentation of the skills that you have to offer. There are many items in a job description that are truly requirements of a position, and no matter how great your ambition or creative your presentation, you may have to accept that your skills are going to fall short of expectations.

For example, the role may really need someone who has strong people management skills, which is not found in a “team lead” or “project manager”. The utilization and knowledge of specific tools may be a success factor in the role, and although your friend only travels 25% in their role, this position may require double that amount of travel.

All that being said, I agree with you 100% that the decision should be placed in the hands of the hiring manager and not the internal recruiter/human resources professional. Ideally, the Infosecleader and hiring manager are the ones that best understand their needs, and no matter how adept their level of communication, something gets lost in translation – specifically granular job requirements.

You should understand that this misunderstanding is not the fault or responsibility of the internal human resources/recruiter, as it is nearly impossible for someone who works in a general capacity to understand the nuances of the specific role that you are pursuing. However, there are certain elements of the role that HR will understand – the company’s definition of a “Manager”, the importance of specific tool knowledge (although they may not be able to make the jump from tool (e.g. Check Point) to concept (firewalls)), or the amount of travel.

Independent of that, after doing my job for 15 years, I am of the firm belief that it should be every information security professional’s goal to get to the decision maker during an interview process. This is where your “sales skills” should come into play. My advice for you would be to engage the internal recruiter, and leave them with enough confidence from your discussion to move you forward in the interview process.

This will enable you to get the real answers to your questions and demonstrate your level of competence to a knowledgeable party who has the ability to make an evaluation of your skills. When you do get to that level of the interview, you have a responsibility to make it clear to the hiring manager, what your true capabilities are as it relates to the job requirements that they articulate during your discussion.

I am embarking on a job search and I am looking for some help. The first ten years of my information security career have placed me in some interesting environments – serving as a technical information security engineer, working in an information security professional services practice in the area of risk and compliance, and working as a pre-sales engineer for a large information security product vendor.

The truth is, I have enjoyed all of these three roles, and I am interested in a wide variety of opportunities. I feel that my experience and versatility is a good thing, and it allows me to investigate many different career paths.

The question that I have, relates to my resume. Do you have any advice for me on how to craft my resume – to both illustrate my versatility and breadth of experience, and to accurately align my skills and qualifications simultaneously with different opportunities?

Sincerely,

Ralph Furley

Dear Mr. Furley:

Good for you for having three unique and successful career experiences at this point in your career. I can only imagine that you have developed and maintained a set of skills that include technical expertise, customer skills, and persuasive communication and presentation skills.

If my assumption is accurate, you are correct that these skills are in high demand and will appeal to many diverse environments. Since you will be applying to roles in these different types of environments – I will make two suggestions regarding your resume –

The first being that you can write three separate resumes – one tailored to internal information security engineering roles, one tailored to professional services/consulting opportunities, and one tailored to pre-sales opportunities. If you decide to go this route, what I would do, would be to keep the qualifications of the position you are applying for in mind, as you create each resume and highlight the skills that you have acquired in your three different roles. Ideally, each resume will have a “theme” to it, which will align with the specific role that you are attempting to pursue.

For example, if you apply for an internal technical information security position, I would make sure that the bullets from your sales engineering role are technical in nature. I would try to find a way to point out the depth of your technical skills in the context of that role.

The second option that you have would be to utilize the same resume, but to write three unique objective statements that align with the types of roles that you are applying for. What I would do in each of these statements would be to allude to the fact that your diverse experiences have provided you with unique perspectives on how information security problems are solved – from an internal perspective, from an external perspective, and with the aid of information security products. Demonstrating these three different perspectives in the body of your resume, and associating your skills with each of your three roles, should create a consistent overall theme.

In closing, having three diverse experiences and perspectives as an information security professional is a very good thing, and provides you with a great foundation.

The combination of a well-written resume, and an astute employer who can connect the dots, should provide you with access to many roles that could serve as a springboard to the next stage of your information security career.

I am writing to see if you can help me with a situation that seems to be haunting me as I look for a new job.

I have been working as an information security engineer for the past 10 years, mostly on long term contracts. Each of my contract assignments for the past five years has been through the same contracting firm. During these past five years, I have supported over 8 different Fortune 500 customers, in the implementation of various security technologies ranging from IDS, firewalls, SIEM, DLP, etc. Each of the assignments has spanned from 4 months (shortest) to 16 months (longest). On my resume, I outline each of these projects, listing the customer, the scope of the project, the duration, and the impact of my efforts.

Now that I am looking for a full time job, in my opinion my resume makes my employment look inconsistent, although I have been working for the same employer (contracting agency) for the past five years.

Do you have any tips on what I can do to overcome this hurdle?

Signed,

Edwin Moses

Dear Edwin:

This may turn out to be our shortest response, but your answer is a simple one.

What you need to do is to create a resume entry, before the projects, demonstrating that you worked with the same company for the past five years (2-3 lines). Underneath the employer and the dates, you should write a short description of the company and the nature of your work as a security consultant servicing Fortune 500 clients.

Your resume should read no different than that of a person who has worked as an information security consultant for a large consultancy – like a Big X or a large systems integrator – with the exception of being able to demonstrate career progression or titles.

If you are able to place this experience under the larger umbrella, it will let employers know that you are both loyal and have a good deal of diverse information security experience.

That should lift some of your hurdles and help you in your transition.

These results are just the tip of the iceberg – you will have to come to our session at Black Hat if you want the full release. Anyone who is not in attendance at the conference and would like a copy of the results after the conference, you can sign up at Infosecleaders – Research – shortly after the release.

A special thanks to all of those who participated. Thanks for making this a great success. Stay tuned for our next industry survey!

The Professional Development workshop is a half-day program that is designed to inspire the Black Hat attendee to think about their career as an information security professional and assist them in their journey towards the achievement of their long term career goals.

The Professional Development workshop will be divided into five (5) unique information security career topics that will be linked by a common theme – Skill Development and Differentiation.

The program will consist of the following:

1) “The Value of Information Security Certifications Survey” – Research Revealed – 1350 information security professionals responded to an independent survey on the topic – the research will be revealed

2) “Second Place Sucks” – a presentation on strategic career investments and personal branding

3) “The Information Security Leader of The Future” – a presentation that will outline the skills that employers are looking for when identifying and selecting their information security leaders.

4) “The Other Side of The Desk” – a panel that will explore the different attitudes and beliefs by job applicant and employer during the interview process

5) “Future Predictions” and “Career Advice Tuesday- Live” – Future trends will be discussed and explored – and attendees will have the opportunity to ask questions about infosec related career topics

The workshop is designed as an interactive forum that should inspire some shared thought and debate between audience members and the presenters.

Attendees should understand that they can elect to either participate in the entire workshop, or to pick and choose from select sessions that have a particular interest to them.

Session Previews:

Session 1 – 1:45 – 3:00

“The Value of Information Security Certifications Survey”

Presenters – Mike Murray and Lee Kushner – Infosecleaders.com

In February of 2011, Infosecleaders.com launched an independent survey on the value of information security certifications. The value of InfoSec certifications is a highly debated topic in the industry, and this is the first independent survey that asks information security professionals (certified or not) their opinions on topics that include the motivations for certifications, the impression of the certification bodies, the value of skills vs. certifications, and certifications’ effect on employment. With over 1350 respondents, the results should be revealing and eye-opening.

Second Place Sucks -

Presenter – Mike Murray

So, if certifications are no longer the magic bullet to get you to your career goals, then what is? The topic of strategic career investments and personal branding will be the focus of this presentation. The presentation will be spent on how you can plan and execute on career investment strategies that will enable you to differentiate from your peers and successfully compete for promotions and external information security leadership opportunities.

(15 minute break)

Session 2 – 3:15 – 4:45PM

3:15 – 3:45PM

“The Information Security Leader of the Future” –

Presenter – Lee Kushner

The skills for information security leaders are changing quite rapidly. As many companies are aligning information security with their core business and branding, information security professionals will need to evolve as well. The presentation will break down the core skill components that information security professionals will need to acquire and demonstrate to be considered for leadership roles in the future.

3:45PM – 4:45PM

The Other Side of the Desk – Different Perspectives on the Interview Process

There are two parties involved in every interview process, the information security professional (the applicant) and the hiring manager (the decision maker). While in essence, both parties ultimately desire the same outcome, their motivations lie in different places. This portion of the presentation will present to the audience the perspective of the candidate and the perspective of the hiring manager, in a way that will educate both parties and enable them to social engineer the interview process, to work to their personal advantage.

Bill Phelps:

Bill Phelps is an Executive Director in Accenture’s security practice, and has spent the past 25 years in technology services. In the past decade, Bill has been a practice leader, company founder, board member and trusted advisor helping organizations with complex management and technology challenges in the areas of information security, data center transformation and technology strategy. Bill currently has overall responsibility for Accenture’s security business in North America. Bill is aggressively growing Accenture’s security team, and plans to hire over 200 security professionals in the coming year.

Justin Somaini:

Justin Somaini is the Chief Information Security Officer at Yahoo! where he’s responsible for all aspects of Yahoo!’s Information Security strategy. With over 15 years of Information Security experience he’s seen as a leader in industry by promoting an evolution of the security and risk management models. Through his public speaking and industry involvement he’s given extensive talks and interviews on the threat landscape, public policy, security management and risk management. Prior to joining Yahoo!, Justin was the CISO at Symantec. Justin has also held security leadership roles at VeriSign, Charles Schwab and PricewaterhouseCoopers LLP.

4:45 – 6:00PM

Predictions for the Future and Career Advice Tuesday – “Live”

Presenters – Lee Kushner and Mike Murray

The employment market is dramatically changing – and the closing session will begin with information security employment predictions (based on experience and research) for the next ten years. Once completed, this will be followed by a version of “Career Advice Tuesday” – “Live”. All attendees can have their personal information security career questions answered in an open forum. Topics will include skill development, compensation negotiation, career investments, career planning, and anything else you want to ask about your Information Security Career.

Wanted to ask a question about my resume and including my outside of work activities. Without getting into specifics – I take part in some outside activities that some may consider to be polarizing. Although I know that this site is anonymous, I would like to keep them to myself – however, for argument’s sake, let’s say that they fall into categories that would include one of the following:

1) My Political Beliefs

2) My Religious Beliefs

3) My Sexual Preference

4) My Ethnicity

I have followed your advice, and not only am I a member of this group, but I am also a leader. My group has raised a great deal of money, performed good work in the community, and I am very proud of the work that we have done. My participation in these groups has enabled me to develop and refine some additional skills that benefit me in my job as an information security professional.

I ultimately would like to list them on my resume, because I believe that they reflect well. However, I have learned from reading your site that when it comes to employment and selection of candidates - ”beauty is in the eye of the beholder”.

My fear is that by listing these activities, I will do more harm than good, and I will close more doors than I will open.

Do you have any advice?

Signed,

“Wanna B. Free”

Dear Wanna:

Your question is a good one and I think that the answer that you are searching for can fall into two categories – 1) Focusing on your Goal (Getting a Better Job) and 2) Being Honest with Yourself.

If the goal of the resume is to get a better job, I think that you are taking a big risk in featuring your outside activities on your resume, if you believe that they are polarizing. By including these items on a resume, you begin to eliminate your audience and you enable people to make prejudgments about you as a person. Granted, if some of the employers share the same interests or beliefs, that may give you a leg up in the process; however, since many people will be viewing your resume, it becomes more likely that you will encounter someone who may disqualify you based exclusively on this activity.

In addition, today the legal environment in the workplace is more risk averse than ever. Granted, companies preach the concept of diversity, however at the same time they try to prevent the workplace from becoming the “soap box” for the expression of people’s personal beliefs, especially if they may offend others or pose a distraction. Sometimes, no matter how talented the candidate, companies simply do not want to take this risk.

To compound on this, many times hiring managers will ultimately choose an alternate candidate, simply due to the fact that they may be exposing themselves if they hire someone that may be more of an outlier, as opposed to someone who is viewed as a safer choice. Remember, they have a job too!

2) Being Honest With Yourself – I think that you have to determine whether you bring this outside interest into the workplace. Many people cannot separate their avocations from their vocations, and their outside interests consume them in all environments. If you recognize that you fall into this category, my advice would be to list it.

The reason for this is that this outside interest speaks to exactly who you are. And if this is the case, the company should know it, and you should feel comfortable that they are accepting of you (in your totality). I think that by being honest with yourself – and your employer – you set a strong foundation for a long lasting relationship. However, if by being honest you repel the employer and are not hired, you may experience some initial remorse. In the long run, though, you will benefit from not having to work in an environment that does not embrace you or your extracurricular activities.

In the end, I think that resumes in general are not an ideal form of communication, so I do believe that it would be best to list your interest, but soften it a bit so that it is not viewed as polarizing, but still provides a potential platform for discussion. If you eventually get selected for an interview, you should figure out if you want to bring this up with members of the interview team during a discussion. In this form of communication, it may be easier for you to articulate your external interests and demonstrate how they have affected your personal and career development in a positive way.

Thanks for asking the question. Many people struggle with this. Hope that the answers are useful to you and to others.

“First of all, those clever notes seem to contain more than their fair share of typos. If I see a typo on a resume or cover letter, I immediately discard it. I don’t care about your qualifications if you send me a letter with typos in it. ”

On this point, I’m in 100% agreement – it is not that hard to ensure that you proof-read your resume. It’s also not that hard to ensure that Word has grammar-checking turned on, and that any egregious grammatical errors are dealt with.

There’s a branch of economics known as Signal theory that deals with information flow. Signal theory is concerned with how information implies other information. As a (trite) example, the guy who drives an expensive car may be trying to convey information to the people around him about his social status, his job, etc.

In the case of the typo on a resume or a cover letter, it serves as a very effective signal to a potential employer. The information conveyed is: “this didn’t matter enough to me to put in the effort to run spell check”.

That is not the signal you ever want to send. So, get the basics down. Make sure that the structure of your resume is consistent. Everything is spelled correctly and in appropriate English sentences. Have at least one person proof-read your resume (and if you can’t find anyone, send it to me and I’ll proof-read it just to save the hiring manager the pain). And always, always, always make sure that you spell the hiring manager’s name right.

This stuff is simple, but if more people did it, I wouldn’t have to say it.

The experiences that I had as a student-athlete really helped shape my character and had a positive effect on my life as a professional. To this day, I can think of many times in my business career, where I referenced past experiences on a baseball diamond to help me solve problems in the work place. To this day, I remain a fan of college baseball, and more specifically my alma mater East Carolina University.

This upcoming weekend is special to me. East Carolina University is playing their arch rival, University of North Carolina in the NCAA Super Regional Baseball tournament. The winner will advance to the College World Series. I will be glued to the TV set, and if ECU emerges victorious I will be off to Omaha, Nebraska next weekend for the College World Series. ECU is a big underdog, but stranger things have happened in the history of sports.

It led me to think, which of my personal interests would I list on my resume and what value would they have to me in the job search process. I began to ask myself the following questions. Would it make sense for me to state that I am a big fan of college baseball? What would be the best way to express my experiences as a student-athlete? Could any of this help me get noticed by an employer? Maybe it would be better for me to leave this off entirely?

As I read many resumes, I often see people list their personal interests somewhere down at the bottom. I am amazed by some of the things that I learn about people from this information. Some of it is fascinating. I have had ballroom dance champions, auctioneers, race car drivers, professional wrestlers and hypnotists. I have also seen the mundane. People have listed that they enjoy leisure travel (who does not like a vacation), reading (should that go without saying), and fine dining (watch out corporate Amex).

Remember, that anything that you put down on paper will be dissected and scrutinized by many different reviewers. It is just as easy to inspire a negative reaction as it is to evoke a positive response.

Regarding my example, it is quite possible that the interviewer could have a negative opinion of “jocks,” may not like baseball, or be a fan of a rival school. These items could negatively impact their opinion of me. On the other hand, the interviewer could have a strong respect for athletics and the commitment necessary to achieve and compete at a high level. They may also draw the correlation that involvement in team sports would translate well to their corporate environment. At the simplest level, they may be a baseball fan or even better an ex-ballplayer themselves. All of the above could lead to an inspired discussion, that could transcend the actual interview itself.

Unfortunately, you may never know the reaction until you have a chance to observe it in person, it is a calculated risk. I believe that you can use these guidelines to help you make a good decision:

1-Anything that you list should not be too polarizing. Whatever you list should not elicit an emotional response from the reviewer. In my example, baseball is relatively harmless; it is still considered the National Pastime. Listing my political beliefs would alienate approximately 50% of the population.

2- List items that enforce the qualities necessary for success. Anything that you list, should be able to help you demonstrate a skill or skills that can translate well in the position. For example, if one of your hobbies were chess, and you had a high ranking, I would list it. I believe that would convey traits that include dedication, strategic thinking, concentration and intelligence.

3-Make sure your items do not carry a negative connotation. For example, one could argue that a skilled poker player would have the same characteristics of a chess player. However, when people think of poker, they immediately think of gambling. It is possible that this could be an activity that would turn someone off.

4- List a skill or interest that is easy for others to relate to. A good example of this would be the ability to play a musical instrument. Everyone can relate to music. There is a natural correlation between musical proficiency and an aptitude for technology. Just make sure that if they ask you to play something at the holiday party, you are able to do so!

5-Show leadership. Leaders traditionally cannot help leading – even in their non-work activities. If you are listing a group or organization, show that you are not afraid to gravitate toward responsibility. This could be something as simple as being a Troop Leader for Boy/Girl Scouts, or the Secretary of a Community Organization.

6-Avoid average interests. An interest should make you appear to be more interesting and different. It should help set you apart from the others. Listing that you enjoy concerts, movies and sporting events is great for a dating site – but lousy for the purpose of getting a job.

7-You can almost never go wrong with charitable causes. Avoid listing charitable causes that can also be construed as political.

8-Make sure that your interest is not too time consuming. Your employer should not be able to even remotely infer that your interest will interfere with your work responsibilities.

In closing, listing a personal interest can break down barriers during an interview process and create a more relaxed environment for discussion. It can help create a common bond between interviewer and interviewee in an accelerated time period. In the extreme, it could also be the ”tie-breaker” in comparing two similar candidates for a position.

Use your best judgement when deciding on what interests to list, and how to list them. When in doubt, choosing not to list anything is also a suitable option.

For the record, I chose not to list my interest in college baseball, but have chosen to disclose my experience as a Student-Athlete. I have placed this under my education activities on my LinkedIn profile, as follows: Varsity Baseball, Scholarship Athlete, Academic All-America.